Practice/Industry Group Overview
Technology has made it easy for companies to collect, copy and transfer personal data around the world. Many clients seek to take advantage of this through centralized systems and service providers, often resulting in the need for cross-border data transfers. At the same time, new privacy and security laws in a number of key jurisdictions—including the European Union, United States, Canada, Hong Kong and Australia—are imposing complex requirements and challenges for multinational organizations.
Mayer Brown’s Privacy & Security practice comprises experienced lawyers from a range of disciplines, including regulatory, intellectual property, employment and business & technology sourcing. We work with major corporations worldwide to help them comply with data privacy and security regulatory obligations, and to develop practical cross-border data transfer solutions—for both affiliated company transfers and for transfers to nonaffiliated parties, such as service providers and outsourcers.
Our group also advises on developing data breach notification policies and other security and privacy compliance enterprise management, and regularly counsels corporations on their obligations and risk exposure in the event of a data breach. And if a breach results in litigation, we have experienced trial and appellate lawyers to handle even the most complex cases.
Many privacy matters raise issues that span multiple legal practices and countries. With our global platform, our firm can serve clients across the full range of domestic, international and cross-border privacy issues.
Drawing from our experienced multidisciplinary team of lawyers, the Privacy & Security practice offers broad-reaching legal advice to all our clients. We regularly work in the financial services regulatory, intellectual property, outsourcing and information technology areas when advising our clients on privacy and security matters in the following main categories:
PRIVACY AND SECURITY AUDITS
We work with clients to conduct security and privacy audits to determine the adequacy of their company’s security policies, procedures, information systems and documentation, taking into account federal and state laws and regulations as well as industry best practices with respect to information security, such as ISO Standard 27001. We warn clients about potential exposures for use or misuse of private information and how to properly devise their data and security policies. This includes training for employees and vendors regarding privacy compliance. Some representative areas of our experience include:
- Audit plans
- Mapping data transfers, uses and flows
- Strategy, planning and execution of data security and privacy policies
Data protection requirements vary significantly between countries (and even between EU member states). Therefore, basic compliance programs need to take into account all the data protection regimes to which a company may be exposed. We frequently assist our clients with the preparation of global compliance programs that adhere to the relevant local data protection laws while also taking into account the clients’ commercial and business needs.
We are known worldwide for our experience in data protection law and our ability to manage global privacy and data protection projects. Our clients rely on the lawyers in our practice to interpret the various laws, regulations, directives and other legal frameworks issued in jurisdictions around the world to advise them on the best approaches for compliance.
From industry-specific statutes and compliance programs to worldwide jurisdictional privacy compliance laws, our lawyers are able to provide practical advice based on years of experience. Our compliance experience includes advising clients in the monitoring of electronic communications by employers, the transfer of employee data and responding to employee requests for access to data. Some representative areas of our experience include:
- Legal and regulatory advice
- Review of websites and privacy notices
- Policies and procedures
- Product review for privacy issues
- EU data protection registration and compliance
- Safe harbor certification
- Payment card industry standards
CORPORATE TRANSACTIONS AND OUTSOURCING
The Sarbanes-Oxley Act and its implementing regulations have caused many publicly traded companies to more carefully scrutinize their service provider arrangements, particularly as they relate to internal controls and financial statements. Because many of our clients use outsourcing service providers, whether onshore or offshore, we help them implement a security and privacy process generally, with specific steps that pertain to service providers, and other corporate transaction considerations.
- Due diligence on privacy assets, issues and exposure
- Data protection and security agreements
- Cross-border data transfer arrangements
- Review of vendor agreements for compliance
While companies work toward data protection policies and best practices, accidental disclosure of information and security breaches can still occur. We have successfully defended clients in class actions, private lawsuits and privacy investigations brought by state and federal regulatory agencies, and we regularly offer advice on pre- and post-security breach responses.
- Strategy and defense against private lawsuits alleging privacy or security violations
- Defending class action suits
- Defending against data security breach claims
- Responding to government and third-party requests for private information
FTC AND STATE ATTORNEY GENERAL INVESTIGATIONS
- Negotiating with multistate AG investigatory teams
- Preparing consent decrees
- Providing representation before the FTC
EU DATA PROTECTION COMMISSIONERS
- Advising clients following requests from EU data protection commissioners
- Addressing notification requirements following transfer of personal data out of the European Union
- Consulting with data protection authorities regarding clients’ obligations under local data protection laws
SECURITY BREACH RESPONSE
Security breach action plans are needed due to the proliferation of database breach notification acts and regulatory guidance. Our practice advises on the drafting, execution and integration of these plans to minimize the risk of future breaches.
- Drafting security breach response plans
- Counseling during security breach incidents (including coordination with public relations departments)
- Implementing appropriate responses to data security incidents
- Providing pre-litigation support
PRIVACY STRATEGY, PLANNING AND EDUCATION
- Advising about potential exposure for use or misuse of private information
- Planning regarding data and security policies
- Analyzing EU data transfer compliance options
- Training employees and vendors regarding privacy compliance